Re: [FW1] Best practice: DNS location
Well, the SANS Institute puts DNS attacks at the top of its top ten list of vulnerabilities: http://www.sans.org/topten.htm

Check this link out: http://packetstorm.securify.com/exploits/apps/bind/

If you refer to the book "DNS & BIND, second edition" by Cricket Liu & Paul Albitz, and you READ chapter 10 "Advanced Features and Security" CAREFULLY, you can properly secure your DNS server. Of course, you must install the latest version of BIND; it's like any other product, you must keep up to date for many reasons, like security!!

Now, where will you place your DNS server, bah... on a firewall or a dedicated machine? Can you install the latest version of BIND on an NT machine (the firewall is on an NT machine)? If not, you can put it on a dedicated machine. Of course on a screened network... or a DMZ.....

- Dan

Will Schwartz wrote:

> I would have your public DNS on a DMZ. I would house your private DNS on the
> LAN. The public DNS should only contain the DNS records that you absolutely
> need to run; your internal DNS can have the rest. No one should connect to
> your internal DNS from the outside. You can set up forwarding on your
> internal DNS to query your external DNS. I would never run DNS on a
> firewall, it is too insecure. One of the most common things to hack is DNS.
> I would dedicate a machine to it.
>
> HTH
> ~will
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> Chinnery Paul
> Sent: Thursday, October 12, 2000 3:22 PM
> To: [email protected]
> Subject: [FW1] Best practice: DNS location
>
> Currently using FW 4.0 on an NT 4.0 network.
> Our ISP wants us to install our own DNS and use them as secondary.
> My question is where the DNS should be: should it be on our firewall server
> or on our internal network. We are using NAT.
>
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================